Hello Kendal, I would like to monitor the hosts of each of my indexes to see if they are sending logs. I want to identify them on a heat map where the index names are listed on the left side, and each square in the row represents a host and is colored depending on its health status.
Hi,
I'm running a search for two different time ranges; for a missing datapoint pair it's creating a discrepancy with my calculations. I need an accurate diff, so a fillnull value is not an option. I would prefer to remove the _time row if it's missing a pair for the same timestamp. Any hints appreciated.
Got an idea with below but despite moving around my stats
| stats count values(marker) as pairstamp by _time
| where count=2
Hi haleyh44, You might consult the following: https://docs.splunk.com/Documentation/Splunk/9.3.0/Deploy/Distributedoverview https://docs.splunk.com/Documentation/SVA/current/Architectures/About?301=/pdfs/technical-briefs/splunk-validated-architectures.pdf
Currently, I have a single Splunk server that is performing all the necessary functions. However, I would like to expand my infrastructure by deploying two new physical servers: one for an additional indexer and another for a dedicated search head. I am using Windows Server 2019. I would appreciate guidance on the best approach to achieve this. Specifically, I would like to know the steps involved in setting up another indexer and search head. Any advice or guidance is appreciated!
Hi @Vikash.Vardhan,
Thanks for asking your question on the Community. It's been a few days with no reply. Did you happen to find any new information or a solution you can share here on this post? If you are still seeking help, you can contact Cisco AppDynamics Support: AppDynamics is migrating our Support case handling system to Cisco Support Case Manager (SCM). Read on to learn how to manage your cases.
Hi @Anup.Thatte,
Did you read the latest reply from @MARTINA.MELIANA? Did their reply help? If so, take a quick second and click the "Accept as Solution" button on the reply that helped. If not, reply back here to keep the conversation going.
I also sorted by Owner ascending and going to page 2 where the user shows up and the job actually doesn't show up in the job manager page. I also tried to filter by the user and they don't show up as an option. I can only filter by me as Owner or All.
Thanks, Giuseppe
did you disable the local firewall on that machine (firewalld or iptables)?
No
are you trying to access Splunk on your machine or a different one?
on my home machine
if a different one, instead of 127.0.0.1 you must use the IP address of the server.
Other than disabling the firewall, is there a way around this?
Hi @MilezMontego, did you disable the local firewall on that machine (firewalld or iptables)? Are you trying to access Splunk on your own machine or a different one? If a different one, instead of 127.0.0.1 you must use the IP address of the server. Ciao. Giuseppe
Hi, I installed Splunk SOAR (on-premises) 6.2.2 on a single server. Does anyone know how to get SOAR-related services up and running again after the server restarts? Thank you!
Hi @chimuru84, you should have a list of your users to be inserted in a lookup (called e.g. users.csv) with one column "id". Then you could run something like the following:
index=...... earliest=-365d
| stats count by id
| append [ | inputlookup users.csv | eval count=0 | fields id count ]
| stats sum(count) as total by id
| where total=0
Ciao. Giuseppe
Hi @raiqb01, sorry but you are a little confused: ES isn't to be installed on Indexers and Cluster Manager, ES must be installed only on the Search Head and (if you have a Search Head Cluster) on the Deployer. On the Indexers (using the Cluster Manager) you must install an add-on that must be downloaded from the ES installation on the Search Heads. The issue that you're reporting isn't related to ES, but you should analyze your inputs add-on because the issue is probably related to the fact that you don't correctly assign the sourcetype to your logs. Look at the Linux Add-On if present. Then Error 1 is related to an incorrect ES installation. Last: Issue 2 is related to too few resources for your Indexers and Search Heads. Did you follow the ES installation instructions (https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallEnterpriseSecurity)? What's the reference hardware that you're using for ES (https://docs.splunk.com/Documentation/ES/7.3.2/Install/DeploymentPlanning)? Ciao. Giuseppe
Hi, While troubleshooting the below error message:
"The percentage of non high priority searches delayed (75%) over the last 24 hours is very high and exceeded the red thresholds (20%) on this Splunk instance. Total Searches that were part of this percentage=16. Total delayed Searches=12"
how can I address the actual issue?
=============
While looking into the system, I found out that
1- Splunk ES app is installed under /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite. Can I remove the app from the above location?
2- Furthermore, the output of the below query is:
index=_internal sourcetype=scheduler savedsearch_name=* status=skipped | stats count BY reason
1- Error in 'SearchParser': The search specifies a macro 'notable' that cannot be found. Reasons include: the macro name is misspelled, you do not have...
2- The maximum number of concurrent running jobs for this historical scheduled search on this instance has been reached
=================
I found that
Hello! I'm trying to implement a mechanism to flag users who have not had a third-party authentication verification in the last 365 days.
I tried this search, but it does not give the desired result.
index=......
| stats count by id
| search id=*
| eval Duration=relative_time(now(), "-365d@d")
| sort id
| table id Duration | dedup id
I'm grateful for any ideas. Thanks.
Good day, The URL http://127.0.0.1:8000/en-US/account/login?return_to=%2Fen-US%2F to Splunk is not working. Has the URL changed, or am I doing something wrong? Please help. Thanks,